Wednesday, October 29, 2008

Errata Security endorses McCain

The choice in this election is between a small or large left-ward shift. McCain is a moderate Republican, Obama is a radical Democrat. A bigger issue than the candidate is the Democrat-controlled congress. Our country was designed with the idea of checks and balances, but this system breaks down when the same party controls both the presidency and congress. Our country has prospered most when different parties controlled these two branches of government.

Technology regulation is the biggest concern for us. McCain is famously over a hundred years old and has never sent an e-mail. Yet, Obama is not much better. Whereas neither candidate knows much about computers, McCain has extensive experience in telecoms regulation. It is here where McCain has demonstrated a greater understanding of the Internet and its history.

Obama has frequently described the Internet as something created by the government. In contrast, McCain watched the Internet evolve from its infancy. McCain remembers how the over-regulated telecommunications industry failed to innovate. He also remembers that the government did indeed design an Internet known as "GOSIP", and that this alternative Internet failed. McCain knows that today's Internet was designed not by government nor by corporations, but by mavericks that opposed both.

A test of the candidates' desire to regulate is "Net Neutrality". Obama sees this as government protecting the people. McCain sees this as yet another example of the type of overregulation that destroys innovation. What concerns McCain is that Net Neutrality laws protect business interests, giving power to those at the "ends" of the network (like search monopoly Google) over those providing Internet service (like AT&T). McCain is concerned with the fact that Google has spent millions lobbying congress to pass Net Neutrality legislation. McCain is worried about the way Google has hired former FCC employees and Internet luminaries to do its lobbying, exactly the sort of Washington cronyism that has stifled telecommunications for the last 30 years.

Government regulation cannot fix cybersecurity. There is a myth that some sort of "magic pill" will solve all security problems, and that government should just force everyone to take this "magic pill". This "magic pill" doesn't exist. If it did, everyone would have taken it already. No such pill will ever exist. Security is a tradeoff - each gain in security requires sacrificing something else. Different people want different tradeoffs and therefore different solutions (and different risks). Government regulation forces a one-size-fits-all set of tradeoffs. We want less government regulation in cybersecurity. We want people to choose tradeoffs and risks for themselves.

The state of the art of hacking and defense changes faster than government regulators can keep up. Today's compliance issues were based on a model where hackers attacked "server" vulnerabilities. Now hackers target mostly "client" vulnerabilities, and those regulations are out of date. Regulatory compliance is forcing companies to keep their focus on the old threat rather than addressing these new threats.

Government regulation is corrupt. Laws are heavily influenced by lobbyists. Companies have cozy relationships with auditors that allow them to pass compliance checks while having little or no security.

McCain is not our perfect candidate with regard to Internet regulation, but he is much better than Obama and the Democrat-controlled congress.

Economics is our second concern. Entrepreneurs and small companies drive the innovation in our industry. Most cybersecurity innovations come from the United States because of our business-friendly climate.

Obama's tax plan hurts small cybersecurity companies. The majority of people we know work 80-hour weeks. Their spare time is spent reading technical books to keep their skills sharp. They quit their jobs at large firms in order to create an independent consultancy or create a new product company. It is this highly skilled, hard-working professional that Obama proposes to tax in order to send welfare checks to unskilled laborers that don't work as hard. The cybersecurity professionals we know don't have time to watch much TV; the average American receiving Obama's checks spends 28 hours a week in front of the TV. This income redistribution is a strong disincentive to entrepreneurs. Why improve your cybersecurity skills, work hard, or take the risk with a startup if you cannot enjoy the rewards of doing so? This is a selfish point of view, of course, but a large reason we support McCain.

Security is a luxury. It is one of the first things companies cut when profits decline, and it is one of the first things they invest in when things get better. Obama's anti-business policies, such as trade protectionism, will cut corporate earnings and reduce their investment in cybersecurity.

And the issue of regulation comes up again. Americans start their own businesses at a rate of 10 to 1 vs. Europe precisely because it's easy. In most other countries, it can take a year's wages and months of hard work just to get the business licenses needed to start a company.

We are also concerned with foreign policy. Many foreign countries, notably China and Russia, have policies that encourage their citizens to attack American cyberspace. While we are not happy with the current president's Texas-cowboy approach of attacking foreign countries, neither are we happy with Obama's stated strategy of appeasement. We prefer McCain's more moderate approach between these two extremes. As a side note, we suggest that the next government respond in kind - making it easy for our own citizens to respond to these attacks.

Both candidates displease us on certain issues. Both candidates failed on the issue of the so-called "Patriot" Act and the recent FISA bill. Both candidates fail on the issue of intellectual property. Both candidates fail on the issue of free speech, although we worry more about the passage of a so-called "Fairness" Doctrine next year designed to curtail right-wing speech.

These issues are like the slavery debate 200 years ago. The issues are so integrated into society that many people cannot see their obvious immorality. We understand how our society is based upon the protection of property rights, and how intellectual property is a leading American export, but this should not blind us to the obvious abuse of intellectual property.

In summary, we believe John McCain is the best candidate for cybersecurity. The next president will not help cybersecurity much. The most we can hope for is that they resist the urge to meddle in something that government does not understand, cannot understand, and which will ultimately be driven more by special interests than technical knowledge.

29 comments:

"While we are not happy with the current president's Texas-cowboy approach of attacking foreign countries, neither are we happy with Obama's stated strategy of appeasement. We prefer McCain's more moderate approach between these two extremes."

I think you could do a better job laying out your conclusions. Regardless....

What about regulation? Regulations such as SOX, HIPAA, GLBA, and others have introduced security requirements that have both increased focus on security, and challenged us professionals. Under which administration would we be more likely to see reduced regulation and oversight?

First off, how does McCain voting with Bush over 95% of the time make him a "moderate" and which of Obama's policies make him a radical?

Second off, you're being willfully ignorant on the purpose of Network neutrality. How does stopping Comcast (a real monopoly, unlike Google) from cutting off traffic they don't like "destroy innovation"?

On taxes, returning a pre-Bush level of taxation is not going to kill the startups.

McCain has been famously wrong on "the fundamentals of our economy" in recent memory. When he realized his mistake, he had a knee-jerk reaction and suspended his campaign. Meanwhile, Obama was proposing solutions to the problem.

Finally, one of the campaigns has continually tried to divide America. Telling people like myself that we are not "True Americans". Just because I don't have the same political or religious leanings as them. I cannot understand how you can endorse such behavior.

Do you have a cite for said strategy of appeasement? Do you have a cite for said "more moderate approach"?

Meeting with foreign leaders without preconditions is an example. An example of the in between approach is making it clear that you believe Putin is a slimy dictator, but not invading his country to topple him.

A further note, they are both equally guilty of cronyism. Rick Davis, a former aide of McCain, has close ties to Freddie Mae, the very same John warned us all about. It's good to see he was cashing checks from both McCain and Freddie. I'm not advocating either President, personally. I'm just advocating not being ignorant. I'm a fan of the services Errata provides, but feel political endorsements may not be their forte. Of course, my opinion shouldn't matter much, being just another security-nut/troll.

Why is that such a bad idea? To meet with any leader without conditions? Why would we just shut the door to diplomacy? The entire difference in opinions is not to meet with Iran, but about the preconditions, right? I just don't see what is so un-American and putting our country at risk by engaging in diplomacy. At some point, Ronald Reagan had to reach across the Iron Curtain and open dialogue. Was that dangerous? Was that bad for democracy?

Robert, no, it has increased focus on security, as a by-product. I've worked with several Fortune 500 companies, and honestly, IDS, IPS, and other security products do a good job on hackers. Spam is being blocked, fairly well, with those products. They aren't 100%, but what is? My worries are internal. The employee that leaves a laptop at a hotel, or has one stolen from his car. The DBA who uses a weak SA account. While regulations might not be the best way to address these and other issues, they establish a standard. Beforehand, Bank A might give a crap about Brand Protection, and IT Security and invest money to protect their data. Bank B might not care, and just let things be. Without that regulation, there is not a minimum standard.

First off, how does McCain voting with Bush over 95% of the time make him a "moderate"

Right-wing talk radio hates McCain only slightly less than Obama because they consider him a virtual democrat. If these wackos can see the difference, why can't you?

and which of Obama's policies make him a radical?

His policies are on the far left of the democratic party. His background is full of associations with even further left radicals. It's not that Ayers or Wright are particularly important so much that ALL of his past associations are with people like that.

Second off, you're being willfully ignorant on the purpose of Network neutrality. How does stopping Comcast (a real monopoly, unlike Google) from cutting off traffic they don't like "destroy innovation"?

Comcast hasn't been cutting off traffic they don't like. They have been trying to deal with the fact that the heaviest users drive up the costs for everyone. Net Neutrality means that while it's ok to put a bandwidth cap at 250gig before cutting users off, it's not okay to allow users to exceed 250gig/month if they can put BitTorrent at a lower priority.

Solving congestion is one of the big unsolved problems in the Internet architecture, and NetNeutrality prevents carriers from trying out solutions.

On taxes, returning a pre-Bush level of taxation is not going to kill the startups.

Obama proposes returning to pre-Reagan level of taxation, and would indeed kill off a lot of startups.

McCain has been famously wrong on "the fundamentals of our economy" in recent memory.

No, he was right. The fundamentals of our economy are indeed sound outside the financial sector. His mistake was telling the truth rather than telling people what they wanted to hear.

Meanwhile, Obama was proposing solutions to the problem.

No, he really hasn't. This asset bubble is little different than the many other asset bubbles we've seen in the last 100 years. The correct approach is for the government to soften the landing but to quickly let the assets reprice themselves.

Obama's policy is to go on a witch hunt and blame everyone he doesn't like for the mess. His policies will only extend the downturn if elected.

Finally, one of the campaigns has continually tried to divide America. Telling people like myself that we are not "True Americans". Just because I don't have the same political or religious leanings as them. I cannot understand how you can endorse such behavior.

It's because you agree with Obama that you don't consider his statements hate speech. Replace "the rich" in his speeches with "the jews" and you'll see a lot of similarities with pre-WWII Germany.

Why is that such a bad idea? To meet with any leader without conditions? Why would we just shut the door to diplomacy?

For exactly the reason Hillary said in her debate with Obama. It's more of a propaganda win for them, and they aren't really interested in doing anything for us.

More importantly, WE KNOW WHAT THEY WANT. They want the United States to be an adversary. The more they can convince the United States is a threat, the more they can gain support for their own repressive policies. It's like how Bush used the threat of Al Qaeda to become one of the most powerful presidents we've ever had.

It's like how China is constantly at odds with Japan -- the government intentionally foments hatred against the Japanese as a tactic to gain support from their own population. Unless Japanese give preconditions, a meeting between their leaders would be orchestrated by the Chinese to foment that hatred.

Robert, I think you're confused about the definition of appeasement. Negotiating is what you do with your enemies to avoid war (Kennedy during the missile crisis). Appeasement is capitulation to your enemy's actions. (Chamberlain with Hitler). It's important to know the difference.

The world is not black and white: nations are neither completely with us or completely against us. Politics is the job of protecting our national interests as best as possible and avoiding war at all costs. Any world view that doesn't include negotiating as a viable tool with our enemies is a naive world view.

I'm a fan of the services Errata provides, but feel political endorsements may not be their forte.

You are probably correct. I think our forte is originality. I try to make sure that the things we put in our blog are things that you haven't heard before. I dare you to find anything that mentions GOSIP in relation to this campaign.

I'll grant you that is a good point. The Internet, as we know it, was largely developed by researchers and Universities. We've all seen the headaches and growing pains as this "project" has grown into something beyond what it was designed for. It's a beautiful problem to have, in my opinion. The real "kicker" is that a lot of that money that fueled the Internet was created by both special interest, and education and research ear-marks. The very same that fund fruit-fly research to understand and help prevent autism spectrum disorders. I'll not make the next connection. I feel both candidates will miss the mark, and as far as innovation goes, it's a shame that with as many brilliant Americans we have, McCain and Obama are the best we have to choose from...

But Stan, don't you know, it's always between a giant douche and a turd sandwich. Nearly every election since the beginning of time has been between some douche and some turd. They're the only people who suck up enough to make it that far in politics.

Best test to see if you are delusional about politics is if you believe your candidate ISN'T a douche/turd.

Robert: "More importantly, WE KNOW WHAT THEY WANT. They want the United States to be an adversary. The more they can convince the United States is a threat, the more they can gain support for their own repressive policies."

So by demanding pre-conditions we give them exactly what they want-- we become the adversary they were looking for. If we meet with them we come off as reasonable and it's harder for them to do so to their population. So my question to you is: why are you advocating a policy of appeasement?

"We are also concerned with foreign policy. Many foreign countries, notably China and Russia, have policies that encourage their citizens to attack American cyberspace. While we are not happy with the current president's Texas-cowboy approach of attacking foreign countries, neither are we happy with Obama's stated strategy of appeasement."

I believe McCain has the same cowboy approach to attack other countries as potential roots of terrorism. Russia, China, Iran, Iraq and other Arab countries where there is a lot of oil are all countries with "high" level of terrorism and it is a potential danger to America. The comment about the anti-USA propaganda in Russia and China is as true, as it is in USA and I bet in the USA it is even bigger. Remember the recent war in Georgia/Russia. All the headlines wrote "Russia is the aggressor" while in reality it is only half true. I do not say that Russia is innocent, but every channel gave news from only one angle which favored Bush. The same with war in Iraq and Afghanistan. And I'm absolutely sure that it will be the same if McCain is elected. Additionally, McCain hates Russia because of Vietnam and I think the same goes to China, but to be successful, you must be friends with big players and not throw knife into the back.

Well, unlike pretty much everyone else that has been here - I just wanted to leave my support for your comments. I feel the same way on most of the issues you chose to outline - which is why I too will support McCain.

Robert - I admire the spunk in putting this up. But I have to ask, do you really advocate invading Putin's Russia? Dude, this ain't no Iraq or Afghanistan. We don't have the horses to do it!

I think you have a snowball's chance in hell of McCain winning this election. But if it is any consolation to you, no matter who is elected, the effect they will have on your and my everyday life will probably be minimal.

Since Eric Schmidt was your "inspiration" perhaps you should have had the good taste to make the distinction between your personal political views and the brand you represent.

[Mr. Schmidt said in an interview that "I'm doing this personally," adding that "Google is officially neutral" in the campaign.]

In fact, you probably would have been better advised to take your "inspiration" from a well respected _security_ veteran instead...

["This is a security blog, not a political blog. As such, I have deleted all political comments below -- on both sides.. You are welcome to discuss this notion of security trade-offs and the appropriate level to make them, but not the election of the candidates." Schneier on Security blog, October 2008.]

But then again, I suppose I should expect that kind of over-zealous behaviour from a "right-wing extremist" ;-P

Mavericks built the Internet? Perhaps mavericks in government and academia funded by the DOD and NSF built the Internet. Then the government turned over a working network and its equipment to the telecoms and others. Network Solutions had the sole contract for domain registrations after NSF awarded it to them. NSF was running the Internet until the whole thing was parceled out to the telecoms and Network Solutions in the early 1990's only after the light dawned on the idiot telecom executives that they could make money off of it. It didn't really take off though until CERN invented the http protocol and Jim Clark formed Netscape and made the first decent web browsers and servers based upon NCSA's versions. Then Apache came along and made web server software for free, but Apache started as a patch of the NCSA server. You guys must have spent more time coding and less time reading your own textbooks with the history of your own field.

I cringe when I see McCain championed as the poster-boy for libertarian ideals. And in this case, saying that he opposes internet regulations is just wrong from the outset. I'd like to remind you of the "Secure Public Networks Act" McCain co-sponsored that would have legislated government access to encryption keys. This was 10 some years ago, as the Internet was becoming much more widespread. Details of the bill that would have really gutted the Internet as a place of commerce and privacy can be found at: Center for Democracy and Freedom, as well as the EFF. McCain certainly isn't a champion of a hands off policy of the internet (unless it's in the best interest of his telecom backers).

Finally, I encourage you to read a post by Professor Spafford on a recent Obama visit to Purdue University where you can see that Obama doesn't have his head in the sand about issues of technology and the "cyber threat".

[Mr. Schmidt said in an interview that "I'm doing this personally," adding that "Google is officially neutral" in the campaign.]

Not true. Schmidt is the CEO, the "O" in his title means he is the officer of the corporation and that he doesn't have "personal" opinions. This is why Dan Geer got into trouble attacking Microsoft. As an "officer" of AtStake, Geer had no purely personal opinions. This is why I said "Errata Security" endorses McCain rather than "Robert Graham CEO".

["This is a security blog, not a political blog." Schneier on Security blog, October 2008.]

Also not true. Schneier's is the most intensely political blogs out there. He regularly distorts cybersecurity to promote his private political agenda. Again, I'm inspired by Schneier to discuss politics, but at the same time, do so honestly rather than covertly.

At the height of the cold war, DoD money flowed like water and touched ALL technology. Many more dollars flowed into corporate networks, like IBM's BITNET, than to the Internet. The DoD and government grants spent 10 times more money developing the GOSIP protocols than they ever spent on TCP/IP. EVERYONE got government money -- the question is why Internet won while the rest lost. The answer is because they were mavericks.

By the way, web browsers/servers did not revolutionize the Internet. The Internet has had a smooth exponential growth since the early 1980s. The development of the web did not accelerate that exponential growth.

His policies are on the far left of the democratic party. His background is full of associations with even further left radicals. It's not that Ayers or Wright are particularly important so much that ALL of his past associations are with people like that

--

I respect your skills in the security space and bought Black ICE. But since you are dipping into political waters, I will comment. Your comment "ALL of his past associations"... immediately discredits many of your other comments as IMHO it reeks of right-wing Rovian soundbites and it's also just not true. Obama is certainly not perfect, but I voted for him and I'm glad he won over McCain as I feel that McCain ran on a fear-based ticket and does not represent the progress that we need as a nation. I don't feel that McCain was qualified. I can respect his PoW experience and his fundamental humanity but I think he's more of a make-believe-maverick than a real maverick and I'm happy that he didn't win.